
Setting up EdgeRouter X with LAN segregation and VPN access

This article is going to show how I redesigned my home network to serve some new purposes.

Objectives

Two Networks (both with Wifi and Ethernet).

Main Network

IoT/VPN Network

Segregation for the IoT Network. Devices should not be able to access anything on the Main Network.

IoT Network needs to be on a permanent VPN (this is for using geo-restricted services such as BBC iPlayer).

IoT Network traffic should go through the VPN.

Main Network traffic should go via my normal ISP.

No VLANs. I don't want to spend a tonne on new hardware, so I am planning to use the existing hardware I have, most of which does not support VLANs, so I decided to avoid them completely. This does mean my setup is simpler (IMO).

Have a fail-safe management network for troubleshooting. I may come back to this later.

Hardware

I have a tonne of hardware around the house, so ideally I didn't want to buy anything. I will outline what I have used, but most of the devices are standard devices so anything should do.

I did buy a Ubiquiti EdgeRouter X as the central point of the network. This is an inexpensive and highly flexible device that I strongly recommend. It is the only non-generic device used in the guide below.

Netgear DGND3700v2 (this is just a left-over router that I had lying around from a previous installation)

Network Diagram

Below is a crude diagram of my desired network. The obvious part that is missing is a modem between the EdgeRouter X and "The Internet", but I don't feel it is relevant to this particular scenario.

I am actually using the router/modem supplied with my internet connection here. All I did was put it in Bridge Mode so I was not double NATing. This means that the eth0 interface on the EdgeRouter X was given an IP address from my ISP.

The Steps

Rather than try to set this all up in one go, I decided to break it down into steps and get each part working correctly.

Basic EdgeRouter X Setup

Main and VPN network setup (Wifi)

VPN Network segregation

OpenVPN Setup

Final Routing of VPN Network to VPN provider

Basic EdgeRouter X Setup

There are plenty of basic setup guides for the EdgeRouter X and I really don't want to repeat them in detail here, so I will just give a rough outline.

Set the IP address option to "Manually define IP address" with the value 192.168.3.1/24.

UPDATE

Remember to alter the DNS forwarders to remove switch0 and add eth2. This is done in the services section of the EdgeRouter X config.

Summary Video

Here is a video summary of the previous section.

Configure the Wifi Access Points for each network

As I mentioned above, I am using two random home routers as Wifi access points for each network. I do not think it would be valuable for me to go through the configuration of each router specifically, but I will outline some key points here.

Each router/access point should have a statically defined IP address within the range of the network it is connected to.

Main Network Access Point: 192.168.4.2

VPN Network Access Point: 192.168.3.2

Each router/access point should be in Access Point mode (if applicable). In my case, the Asus RT-AC3200 has an Access Point mode, but the Netgear DGND3700v2 does not. This doesn't particularly matter as long as you configure it correctly.

Cables from the EdgeRouter X should go into a normal switch port on the access points (not the internet port).

DHCP should be disabled on each of the access points.

Summary Video

Here is a summary video:

Making sure the Internet works

Segregating the networks

Now we want to segregate the networks. The idea here is that I don't want any device on the IoT/VPN Network to be able to access the Main Network.
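To make that segregation concrete, here is an added example (not code from the original article): a small Python model of an EdgeOS firewall ruleset applied inbound on the IoT/VPN port, which both renders the `set` commands and evaluates sample flows the way EdgeOS would (first match wins, then the default action). The subnets 192.168.3.0/24 (IoT/VPN) and 192.168.4.0/24 (Main) come from the article; the interface name `eth2` and the ruleset name `IOT_IN` are assumptions.

```python
import ipaddress

# Subnets from the article; the interface name is an assumption.
MAIN_NET = ipaddress.ip_network("192.168.4.0/24")
IOT_NET = ipaddress.ip_network("192.168.3.0/24")
IOT_IFACE = "eth2"  # assumption: the EdgeRouter port the IoT/VPN access point is on

# Ordered ruleset, EdgeOS style: first match wins, otherwise the default action.
# Rule 10 sits above the drop so that replies to connections *started from* the
# Main Network (e.g. you managing an IoT box) still get back; rule 20 stops any
# NEW connection from the IoT side reaching a Main Network address.
RULES = [
    {"num": 10, "action": "accept", "state": {"established", "related"}},
    {"num": 20, "action": "drop", "dst": MAIN_NET},
]
DEFAULT_ACTION = "accept"  # everything else (the Internet, via the VPN) is allowed

# Note: an "in" ruleset filters traffic *through* the router, so DNS/DHCP to the
# router's own 192.168.3.1 address is unaffected (that is the "local" ruleset).


def edgeos_commands(name="IOT_IN"):
    """Render the ruleset as EdgeOS 'set' commands for a 'configure' session."""
    cmds = [f"set firewall name {name} default-action {DEFAULT_ACTION}"]
    for r in RULES:
        base = f"set firewall name {name} rule {r['num']}"
        cmds.append(f"{base} action {r['action']}")
        for st in sorted(r.get("state", ())):
            cmds.append(f"{base} state {st} enable")
        if "dst" in r:
            cmds.append(f"{base} destination address {r['dst']}")
    cmds.append(f"set interfaces ethernet {IOT_IFACE} firewall in name {name}")
    return cmds


def evaluate(dst, state="new"):
    """Decide a packet arriving on the IoT port (source is implicitly IOT_NET)."""
    dst = ipaddress.ip_address(dst)
    for r in RULES:
        if "state" in r and state not in r["state"]:
            continue
        if "dst" in r and dst not in r["dst"]:
            continue
        return r["action"]
    return DEFAULT_ACTION


if __name__ == "__main__":
    print("\n".join(edgeos_commands()))
    print("IoT -> Main (new):", evaluate("192.168.4.10"))        # drop
    print("IoT -> Main (reply):", evaluate("192.168.4.10", "established"))  # accept
    print("IoT -> Internet:", evaluate("93.184.216.34"))          # accept
```

If the two rules were swapped, `evaluate("192.168.4.10", "established")` would return `drop` and connections from the Main Network into IoT devices would silently hang, which is the usual symptom of getting the rule order wrong.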